JPCERT/CC found Lazarus-linked malicious PyPI packages that imitated legitimate Python crypto libraries, including typosquatted names around pycrypto. The packages carried an XOR-encoded DLL in test.py that could be decoded and launched through __init__.py, then executed Comebacker with rundll32 and in-memory payload handling. Comebacker posted encoded host data to C2 endpoints such as chaingrown.com/manage/manage.asp and could receive and execute Windows executables in memory. JPCERT/CC tied the tooling to Lazarus through overlap with earlier Comebacker use against security researchers and code traits also seen in BLINDINGCAN, while noting package download counts in the hundreds to low thousands.